Splunk Phantom default credentials, script options, and sample configuration files
This section has the default Splunk Phantom credentials, script options and example configuration files.
Default credentials
The default credentials on a new installation of Splunk Phantom are:
SSH accounts (virtual machine image (.OVA) and unprivileged installations)
- Username: phantom
- Password: password
Web Interface
- Username: admin
- Password: password
The default credentials of a new AMI installation of Splunk Phantom are:
SSH accounts:
- Username: phantom
- Password: None. You must use the SSH key created when deploying the AMI version of Splunk Phantom.
Web Interface
- Username: admin
- Password: <full AWS instance ID>
You should change the default passwords immediately after you install Splunk Phantom.
Installation or configuration scripts
This section lists various installation scripts and their command line options.
phantom_tar_install.sh options
Use these arguments to control the phantom_tar_install.sh script. Only use this script to install Splunk Phantom as an unprivileged user.
Option | Argument | Description |
---|---|---|
install | --https-port=HTTPS_PORT | Set the custom HTTPS port for Splunk Phantom. |
install | --no-prompt | Run the script without a confirmation prompt. |
install | --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. |
install | --no-space-check | Do not check for available space in /tmp before attempting to install. |
upgrade | --no-prompt | Run the script without a confirmation prompt. |
upgrade | --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. |
upgrade | --no-space-check | Do not check for available space in /tmp before attempting to install. |
Below is an example command that will install Splunk Phantom without installing any of the apps that ship with Splunk Phantom:
phantom_tar_install.sh install --without-apps
phantom_setup.sh options
Use these arguments to control the phantom_setup.sh script.
Option | Argument | Description |
---|---|---|
install | --no-prompt | Run the script without a confirmation prompt. |
install | --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. |
install | --no-space-check | Do not check for available space in /tmp before attempting to install. |
install | --non-root | Run the watchdog daemon with reduced privileges. |
install | --yumopts="..." | Additional parameters to pass to yum. |
install | --mingit | Installs a minimal Git package without the Perl Git module. |
install | --rhsc-psql | Installs PostgreSQL from Red Hat Source Collections. |
install | --version | Specify which version of Splunk Phantom to install. |
upgrade | --no-prompt | Run the script without a confirmation prompt. |
upgrade | --without-apps | Do not install any of the apps that ship with Splunk Phantom. Apps can be installed later using the GUI. |
upgrade | --no-space-check | Do not check for available space in /tmp before attempting to install. |
upgrade | --non-root | Run the watchdog daemon with reduced privileges. |
upgrade | --yumopts="..." | Additional parameters to pass to yum. |
upgrade | --version | Specify which version of Splunk Phantom to install. |
make_server_node.pyc options
Use these options to control the make_server_node.pyc command.
Argument | Description |
---|---|
--version | Displays the program's version number. |
--help | Display a list and description of arguments. |
--no-prompt | Run the program. Do not display the warning prompt. |
Convert an OVA install of Splunk Phantom into a server node for a cluster. A server node provides one or more of the services a cluster requires, such as proxy, database, file share, or search endpoint.
Argument | Description |
---|---|
all | This is the default option. Install HAProxy, PostgreSQL, GlusterFS, and Splunk on this node. This option creates a best-effort version of mcn_responses.json to be used with make_cluster_node.pyc. |
fs | Create and configure a single-node GlusterFS file share on this node for Splunk Phantom. The directory tree starts with /opt/phantom/shared. |
db | Create the Splunk Phantom PostgreSQL database on this node to act as an external database. |
proxy | Install HAProxy to act as a load balancer for the Splunk Phantom cluster. |
splunk | Install Splunk Enterprise to act as a remote search endpoint for the cluster. |
make_cluster_node.pyc options
Convert an OVA install of Splunk Phantom into a cluster node for a cluster. A cluster node is a single instance of Splunk Phantom supported by one or more server nodes.
Argument | Description |
---|---|
--responses | Send prepared responses from mcn_responses.json or responses.json to the script. |
--record | Create a responses.json file to use when running this script on another node. This version of the file does contain passwords. |
--record-no-secret | Create a responses.json file to use when running this script on another node. This version of the file does not contain passwords. |
--record-location | Set the location to record the responses.json file. The default is /opt/phantom/bin/response.json. |
--delete-responses-file | Delete the responses file from the machine when the script completes. |
--version | Show the program version number and exit. |
Some versions of the responses.json file contain passwords. The mcn_responses.json file contains secrets such as usernames and passwords in plain text. Store it in a secure location or delete it after the cluster configuration is complete.
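The page does not document the layout of responses.json or mcn_responses.json, only that some versions hold usernames and passwords in plain text. The following is an added example (not code from Splunk Phantom or its documentation) that a cluster administrator could run after `make_cluster_node.pyc` finishes: it walks a JSON responses file, reports any non-empty value stored under a secret-looking key, checks that the file is owner-only, restricts it to mode 0600, and shows the redacted form that `--record-no-secret` exists to produce. The key-name pattern, the sample file content and the `phantom-cluster` values are constructed assumptions, not real Phantom field names.

```python
"""Audit a Splunk Phantom cluster responses file for plaintext secrets.

Added example; not code from the Splunk Phantom documentation or product.
Assumptions (labelled): the responses file is JSON. The page does not list
the key names make_cluster_node.pyc records, so the scan matches any key
whose name looks secret-bearing, and the sample file below is constructed.
"""
import json
import os
import re
import stat
import tempfile

# Hypothetical key-name pattern; the real key names are not given on the page.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.IGNORECASE)

# Constructed sample content in the spirit of mcn_responses.json; not a real file.
SAMPLE_RESPONSES = {
    "cluster_name": "phantom-cluster",
    "db": {"host": "10.0.0.5", "user": "phantom", "password": "ExamplePa55"},
    "fileshare": {"path": "/opt/phantom/shared"},
    "proxy": {"host": "10.0.0.2", "api_token": "tok-constructed-0001"},
}


def find_secret_fields(data, path=""):
    """Return dotted paths of non-empty string values stored under secret-looking keys."""
    found = []
    if isinstance(data, dict):
        for key, value in data.items():
            child = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                found.append(child)
            found.extend(find_secret_fields(value, child))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            found.extend(find_secret_fields(item, f"{path}[{i}]"))
    return found


def redact_secrets(data):
    """Return a copy with secret-looking string values blanked (what --record-no-secret is for)."""
    if isinstance(data, dict):
        return {k: ("" if SECRET_KEY_RE.search(k) and isinstance(v, str) else redact_secrets(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_secrets(v) for v in data]
    return data


def permission_issues(path):
    """List group/world access bits on the file; a secrets file should be owner-only (0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        issues.append(f"group-accessible ({oct(mode)})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        issues.append(f"world-accessible ({oct(mode)})")
    return issues


def secure_file(path):
    """Restrict the file to its owner and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_responses_file(path):
    """Parse the file and report secret-bearing fields plus permission findings."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {"secret_fields": find_secret_fields(data),
            "permission_issues": permission_issues(path)}


def write_sample_file(directory, mode=0o644):
    """Write the constructed sample as responses.json with a deliberately loose mode."""
    path = os.path.join(directory, "responses.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_RESPONSES, fh, indent=2)
    os.chmod(path, mode)
    return path


def audit_sample():
    """Run the whole flow on the constructed sample in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample_file(tmp)
        before = audit_responses_file(path)
        mode_after = secure_file(path)
        after = permission_issues(path)
    return {"before": before, "mode_after": mode_after, "after": after,
            "redacted_secrets": find_secret_fields(redact_secrets(SAMPLE_RESPONSES))}


if __name__ == "__main__":
    result = audit_sample()
    print("secret-bearing fields:", result["before"]["secret_fields"])
    print("permission findings:", result["before"]["permission_issues"])
    print("mode after chmod:", oct(result["mode_after"]), result["after"])
    print("secrets left in redacted copy:", result["redacted_secrets"])
```

On a real node, point `audit_responses_file` at /opt/phantom/bin/response.json (the default `--record-location` on the page) and at mcn_responses.json; a file that reports secret-bearing fields and is not mode 0600 is the case the page warns about, and `--delete-responses-file` or `--record-no-secret` is the remedy once the cluster is built.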
Configuration files
This section contains example configuration files. Use these as a guide when configuring items for use in your Splunk Phantom deployment.
HAProxy Configuration

```
##--------------------------------------------------------------------
## HAPROXY 1.8.7 CONFIGURATION FILE
##--------------------------------------------------------------------
#---------------------------------------------------------------------
# global settings
#---------------------------------------------------------------------
global
    tune.ssl.default-dh-param 2048
    log 127.0.0.1:514 local0
#---------------------------------------------------------------------
# common defaults
#---------------------------------------------------------------------
defaults
    mode http
    timeout connect 0ms
    timeout client 0ms
    timeout server 0ms
    log global
#---------------------------------------------------------------------
# SSL w/ redirect to HTTPS
#---------------------------------------------------------------------
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    # for unprivileged installs, add another declaration
    # bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3
    # no-tlsv10 ciphers <ciphers go here>
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend nodes
#---------------------------------------------------------------------
# backend (output)
#---------------------------------------------------------------------
backend nodes
    mode http
    balance roundrobin
    option http-keep-alive
    option forwardfor
    cookie SRVNAME insert
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    default-server fastinter 1s downinter 5s
    server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
```
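The HAProxy sample above is a starting point with placeholders, and a few of its settings are worth confirming before it fronts a Phantom cluster: the `0ms` timeouts disable those timeouts entirely, the TLS bind leaves TLS 1.1 enabled, the cipher list is a placeholder, and `ssl verify none` on the backend server line means the proxy does not verify the Phantom node's certificate. Here is an added example (not part of the Splunk Phantom documentation) of a small Python lint that parses an HAProxy config into sections and reports those points, run over the page's sample and over a hardened variant. The check list, the hardened snippet, its `node1` server and the `/etc/haproxy/phantom-ca.pem` path are this example's assumptions, not Splunk recommendations.

```python
"""Lint an HAProxy configuration for TLS and timeout settings worth reviewing.

Added example; not code from the Splunk Phantom documentation. The checks
and the hardened snippet are this example's own choices (assumptions), and
the sample keeps the page's <placeholders> as literal text.
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

# The page's HAProxy sample, trimmed to the directives the checks look at.
SAMPLE_CONFIG = r"""
global
    tune.ssl.default-dh-param 2048
    log 127.0.0.1:514 local0
defaults
    mode http
    timeout connect 0ms
    timeout client 0ms
    timeout server 0ms
    log global
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
    redirect scheme https if !{ ssl_fc }
    default_backend nodes
backend nodes
    mode http
    balance roundrobin
    option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
    http-check expect status 200
    server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
"""

# Constructed hardened variant (assumption): finite timeouts, TLS 1.2+ only,
# a concrete cipher list and backend certificate verification against a CA file.
HARDENED_CONFIG = r"""
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 no-tlsv11 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    redirect scheme https if !{ ssl_fc }
    default_backend nodes
backend nodes
    server node1 10.0.0.10:443 check ssl verify required ca-file /etc/haproxy/phantom-ca.pem
"""


def parse_sections(text):
    """Split an HAProxy config into (section header, [tokenised directive lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(tokens)
    return sections


def lint(text):
    """Return (section, finding) pairs for settings a reviewer should confirm."""
    findings = []
    for header, lines in parse_sections(text):
        for tokens in lines:
            if tokens[0] == "bind" and "ssl" in tokens:
                for flag in ("no-sslv3", "no-tlsv10", "no-tlsv11"):
                    if flag not in tokens:
                        findings.append((header, f"{tokens[1]}: TLS bind lacks {flag}"))
                if "ciphers" in tokens and tokens[tokens.index("ciphers") + 1].startswith("<"):
                    findings.append((header, f"{tokens[1]}: cipher list is still a placeholder"))
            elif tokens[0] == "timeout" and len(tokens) >= 3 and tokens[2] in ("0", "0ms", "0s"):
                findings.append((header, f"timeout {tokens[1]} is 0, which disables it"))
            elif tokens[0] == "server" and "ssl" in tokens and "verify" in tokens:
                if tokens[tokens.index("verify") + 1] == "none":
                    findings.append((header, "backend server uses 'verify none': certificate not verified"))
        if header.startswith("frontend"):
            has_plain = any(t[0] == "bind" and "ssl" not in t for t in lines)
            has_redirect = any(t[:2] == ["redirect", "scheme"] and "https" in t for t in lines)
            if has_plain and not has_redirect:
                findings.append((header, "plaintext bind without a redirect to https"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for section, finding in lint(cfg):
            print(f"  [{section}] {finding}")
```

Run it against /etc/haproxy/haproxy.cfg on the proxy node after filling in the placeholders; an empty finding list for the frontend and backend sections is the state to aim for, and HAProxy's own `haproxy -c -f <file>` still has to pass for syntax.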
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7